c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

Analysis

max time kernel
177s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 19:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
Size

452KB
MD5

52beba36bc5b371193ec2a93a7986bbf
SHA1

47329ebd38f5baa4a6d47d552ae9a0ddfcf64305
SHA256

c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065
SHA512

86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d
SSDEEP

6144:K8XXRUw9Oz5+iUU03pej1YpTYzOb0kLXhlJFTaLTGu0yvHcr+JB8aULjPF:BnRy+ZyYpaCDJFuPyAHcqrUV

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xsglwjgvhcq.exe

UAC bypass 3 TTPs 12 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xsglwjgvhcq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xsglwjgvhcq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xsglwjgvhcq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xsglwjgvhcq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	psxdmq.exe

Adds policy Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowfrybsb = "ewqljcrupehmkzuryxske.exe"	xsglwjgvhcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxdmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgztqiwysgimjxrntrlc.exe"	xsglwjgvhcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowfrybsb = "bodtmakiyiggzjzr.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxdmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bodtmakiyiggzjzr.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxdmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rgxpkammeqqsnzrlpl.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowfrybsb = "iwmdxmxwnyxysdunq.exe"	psxdmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxdmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cskdzqdexklokxqlqng.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowfrybsb = "rgxpkammeqqsnzrlpl.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowfrybsb = "iwmdxmxwnyxysdunq.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxdmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgztqiwysgimjxrntrlc.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowfrybsb = "cskdzqdexklokxqlqng.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowfrybsb = "cskdzqdexklokxqlqng.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowfrybsb = "bodtmakiyiggzjzr.exe"	psxdmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowfrybsb = "ewqljcrupehmkzuryxske.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxdmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rgxpkammeqqsnzrlpl.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxdmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cskdzqdexklokxqlqng.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowfrybsb = "pgztqiwysgimjxrntrlc.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowfrybsb = "pgztqiwysgimjxrntrlc.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxdmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgztqiwysgimjxrntrlc.exe"	psxdmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xsglwjgvhcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\iowfrybsb = "ewqljcrupehmkzuryxske.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\psxdmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwmdxmxwnyxysdunq.exe"	psxdmq.exe

Disables RegEdit via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	psxdmq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xsglwjgvhcq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xsglwjgvhcq.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	psxdmq.exe

Executes dropped EXE 3 IoCs

pid	Process
2848	xsglwjgvhcq.exe
3048	psxdmq.exe
1116	psxdmq.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	xsglwjgvhcq.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgmtdij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwmdxmxwnyxysdunq.exe"	psxdmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	xsglwjgvhcq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\birbowascg = "cskdzqdexklokxqlqng.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnzoyeykqkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bodtmakiyiggzjzr.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rwdlwceu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewqljcrupehmkzuryxske.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rwdlwceu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cskdzqdexklokxqlqng.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rwdlwceu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgztqiwysgimjxrntrlc.exe ."	xsglwjgvhcq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmtdij = "ewqljcrupehmkzuryxske.exe"	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgmtdij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rgxpkammeqqsnzrlpl.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scobrcjerytqg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgztqiwysgimjxrntrlc.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnzoyeykqkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rgxpkammeqqsnzrlpl.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmtdij = "cskdzqdexklokxqlqng.exe"	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rwdlwceu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgztqiwysgimjxrntrlc.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwdlwceu = "bodtmakiyiggzjzr.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rwdlwceu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwmdxmxwnyxysdunq.exe ."	psxdmq.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	xsglwjgvhcq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\weoznwbufkd = "ewqljcrupehmkzuryxske.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rwdlwceu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cskdzqdexklokxqlqng.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmtdij = "rgxpkammeqqsnzrlpl.exe"	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgmtdij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bodtmakiyiggzjzr.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnzoyeykqkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgztqiwysgimjxrntrlc.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\birbowascg = "ewqljcrupehmkzuryxske.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmtdij = "rgxpkammeqqsnzrlpl.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmtdij = "pgztqiwysgimjxrntrlc.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwdlwceu = "pgztqiwysgimjxrntrlc.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scobrcjerytqg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwmdxmxwnyxysdunq.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scobrcjerytqg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bodtmakiyiggzjzr.exe"	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\birbowascg = "iwmdxmxwnyxysdunq.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnzoyeykqkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cskdzqdexklokxqlqng.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmtdij = "iwmdxmxwnyxysdunq.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmtdij = "iwmdxmxwnyxysdunq.exe"	xsglwjgvhcq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\birbowascg = "bodtmakiyiggzjzr.exe"	xsglwjgvhcq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnzoyeykqkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cskdzqdexklokxqlqng.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\weoznwbufkd = "pgztqiwysgimjxrntrlc.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgmtdij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgztqiwysgimjxrntrlc.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmtdij = "bodtmakiyiggzjzr.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmtdij = "cskdzqdexklokxqlqng.exe"	xsglwjgvhcq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\weoznwbufkd = "bodtmakiyiggzjzr.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmtdij = "cskdzqdexklokxqlqng.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scobrcjerytqg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwmdxmxwnyxysdunq.exe"	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\birbowascg = "bodtmakiyiggzjzr.exe"	psxdmq.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	xsglwjgvhcq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\birbowascg = "pgztqiwysgimjxrntrlc.exe"	psxdmq.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scobrcjerytqg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgztqiwysgimjxrntrlc.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cgmtdij = "iwmdxmxwnyxysdunq.exe"	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rwdlwceu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bodtmakiyiggzjzr.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\scobrcjerytqg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cskdzqdexklokxqlqng.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnzoyeykqkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewqljcrupehmkzuryxske.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgmtdij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bodtmakiyiggzjzr.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwdlwceu = "rgxpkammeqqsnzrlpl.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\weoznwbufkd = "rgxpkammeqqsnzrlpl.exe ."	psxdmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	xsglwjgvhcq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgmtdij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgztqiwysgimjxrntrlc.exe"	xsglwjgvhcq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\weoznwbufkd = "bodtmakiyiggzjzr.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\weoznwbufkd = "cskdzqdexklokxqlqng.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwdlwceu = "cskdzqdexklokxqlqng.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\birbowascg = "bodtmakiyiggzjzr.exe"	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnzoyeykqkg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rgxpkammeqqsnzrlpl.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwdlwceu = "pgztqiwysgimjxrntrlc.exe ."	psxdmq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cgmtdij = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cskdzqdexklokxqlqng.exe"	psxdmq.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	psxdmq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	psxdmq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xsglwjgvhcq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xsglwjgvhcq.exe

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
92	whatismyipaddress.com
94	www.showmyipaddress.com
48	whatismyipaddress.com
56	whatismyip.everdot.org
86	whatismyip.everdot.org

Drops file in System32 directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\pgztqiwysgimjxrntrlc.exe	psxdmq.exe
File opened for modification	C:\Windows\SysWOW64\iwmdxmxwnyxysdunq.exe	xsglwjgvhcq.exe
File created	C:\Windows\SysWOW64\cskdzqdexklokxqlqng.exe	xsglwjgvhcq.exe
File opened for modification	C:\Windows\SysWOW64\pgztqiwysgimjxrntrlc.exe	psxdmq.exe
File opened for modification	C:\Windows\SysWOW64\rgxpkammeqqsnzrlpl.exe	psxdmq.exe
File created	C:\Windows\SysWOW64\ewqljcrupehmkzuryxske.exe	psxdmq.exe
File created	C:\Windows\SysWOW64\pgztqiwysgimjxrntrlc.exe	psxdmq.exe
File opened for modification	C:\Windows\SysWOW64\vojfeyosoeiondzxffbupl.exe	xsglwjgvhcq.exe
File created	C:\Windows\SysWOW64\bodtmakiyiggzjzr.exe	psxdmq.exe
File created	C:\Windows\SysWOW64\iwmdxmxwnyxysdunq.exe	psxdmq.exe
File opened for modification	C:\Windows\SysWOW64\ewqljcrupehmkzuryxske.exe	psxdmq.exe
File created	C:\Windows\SysWOW64\cskdzqdexklokxqlqng.exe	psxdmq.exe
File opened for modification	C:\Windows\SysWOW64\egkpxazmrqdsazelclqswbjmlyd.pem	psxdmq.exe
File opened for modification	C:\Windows\SysWOW64\rgxpkammeqqsnzrlpl.exe	xsglwjgvhcq.exe
File opened for modification	C:\Windows\SysWOW64\cskdzqdexklokxqlqng.exe	xsglwjgvhcq.exe
File created	C:\Windows\SysWOW64\vojfeyosoeiondzxffbupl.exe	xsglwjgvhcq.exe
File opened for modification	C:\Windows\SysWOW64\rgxpkammeqqsnzrlpl.exe	psxdmq.exe
File opened for modification	C:\Windows\SysWOW64\iwmdxmxwnyxysdunq.exe	psxdmq.exe
File opened for modification	C:\Windows\SysWOW64\vojfeyosoeiondzxffbupl.exe	psxdmq.exe
File created	C:\Windows\SysWOW64\bodtmakiyiggzjzr.exe	xsglwjgvhcq.exe
File opened for modification	C:\Windows\SysWOW64\bodtmakiyiggzjzr.exe	psxdmq.exe
File opened for modification	C:\Windows\SysWOW64\iwmdxmxwnyxysdunq.exe	psxdmq.exe
File opened for modification	C:\Windows\SysWOW64\vojfeyosoeiondzxffbupl.exe	psxdmq.exe
File created	C:\Windows\SysWOW64\pgztqiwysgimjxrntrlc.exe	psxdmq.exe
File opened for modification	C:\Windows\SysWOW64\cskdzqdexklokxqlqng.exe	psxdmq.exe
File opened for modification	C:\Windows\SysWOW64\ewqljcrupehmkzuryxske.exe	psxdmq.exe
File created	C:\Windows\SysWOW64\bodtmakiyiggzjzrtndqfvocmkakiiblbtvpfs.xqe	psxdmq.exe
File created	C:\Windows\SysWOW64\iwmdxmxwnyxysdunq.exe	xsglwjgvhcq.exe
File opened for modification	C:\Windows\SysWOW64\ewqljcrupehmkzuryxske.exe	xsglwjgvhcq.exe
File opened for modification	C:\Windows\SysWOW64\bodtmakiyiggzjzr.exe	psxdmq.exe
File created	C:\Windows\SysWOW64\bodtmakiyiggzjzr.exe	psxdmq.exe
File created	C:\Windows\SysWOW64\rgxpkammeqqsnzrlpl.exe	psxdmq.exe
File created	C:\Windows\SysWOW64\cskdzqdexklokxqlqng.exe	psxdmq.exe
File created	C:\Windows\SysWOW64\egkpxazmrqdsazelclqswbjmlyd.pem	psxdmq.exe
File opened for modification	C:\Windows\SysWOW64\bodtmakiyiggzjzrtndqfvocmkakiiblbtvpfs.xqe	psxdmq.exe
File created	C:\Windows\SysWOW64\pgztqiwysgimjxrntrlc.exe	xsglwjgvhcq.exe
File created	C:\Windows\SysWOW64\ewqljcrupehmkzuryxske.exe	xsglwjgvhcq.exe
File created	C:\Windows\SysWOW64\rgxpkammeqqsnzrlpl.exe	psxdmq.exe
File created	C:\Windows\SysWOW64\iwmdxmxwnyxysdunq.exe	psxdmq.exe
File created	C:\Windows\SysWOW64\vojfeyosoeiondzxffbupl.exe	psxdmq.exe
File created	C:\Windows\SysWOW64\ewqljcrupehmkzuryxske.exe	psxdmq.exe
File created	C:\Windows\SysWOW64\vojfeyosoeiondzxffbupl.exe	psxdmq.exe
File opened for modification	C:\Windows\SysWOW64\bodtmakiyiggzjzr.exe	xsglwjgvhcq.exe
File created	C:\Windows\SysWOW64\rgxpkammeqqsnzrlpl.exe	xsglwjgvhcq.exe
File opened for modification	C:\Windows\SysWOW64\pgztqiwysgimjxrntrlc.exe	xsglwjgvhcq.exe
File opened for modification	C:\Windows\SysWOW64\cskdzqdexklokxqlqng.exe	psxdmq.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\egkpxazmrqdsazelclqswbjmlyd.pem	psxdmq.exe
File created	C:\Program Files (x86)\egkpxazmrqdsazelclqswbjmlyd.pem	psxdmq.exe
File opened for modification	C:\Program Files (x86)\bodtmakiyiggzjzrtndqfvocmkakiiblbtvpfs.xqe	psxdmq.exe
File created	C:\Program Files (x86)\bodtmakiyiggzjzrtndqfvocmkakiiblbtvpfs.xqe	psxdmq.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\pgztqiwysgimjxrntrlc.exe	psxdmq.exe
File opened for modification	C:\Windows\iwmdxmxwnyxysdunq.exe	psxdmq.exe
File opened for modification	C:\Windows\ewqljcrupehmkzuryxske.exe	psxdmq.exe
File created	C:\Windows\rgxpkammeqqsnzrlpl.exe	xsglwjgvhcq.exe
File opened for modification	C:\Windows\cskdzqdexklokxqlqng.exe	xsglwjgvhcq.exe
File created	C:\Windows\cskdzqdexklokxqlqng.exe	xsglwjgvhcq.exe
File opened for modification	C:\Windows\cskdzqdexklokxqlqng.exe	psxdmq.exe
File opened for modification	C:\Windows\bodtmakiyiggzjzr.exe	psxdmq.exe
File opened for modification	C:\Windows\rgxpkammeqqsnzrlpl.exe	psxdmq.exe
File opened for modification	C:\Windows\egkpxazmrqdsazelclqswbjmlyd.pem	psxdmq.exe
File opened for modification	C:\Windows\bodtmakiyiggzjzrtndqfvocmkakiiblbtvpfs.xqe	psxdmq.exe
File created	C:\Windows\bodtmakiyiggzjzr.exe	xsglwjgvhcq.exe
File opened for modification	C:\Windows\iwmdxmxwnyxysdunq.exe	xsglwjgvhcq.exe
File opened for modification	C:\Windows\iwmdxmxwnyxysdunq.exe	psxdmq.exe
File created	C:\Windows\bodtmakiyiggzjzrtndqfvocmkakiiblbtvpfs.xqe	psxdmq.exe
File opened for modification	C:\Windows\rgxpkammeqqsnzrlpl.exe	psxdmq.exe
File created	C:\Windows\egkpxazmrqdsazelclqswbjmlyd.pem	psxdmq.exe
File opened for modification	C:\Windows\rgxpkammeqqsnzrlpl.exe	xsglwjgvhcq.exe
File opened for modification	C:\Windows\ewqljcrupehmkzuryxske.exe	xsglwjgvhcq.exe
File opened for modification	C:\Windows\bodtmakiyiggzjzr.exe	psxdmq.exe
File opened for modification	C:\Windows\bodtmakiyiggzjzr.exe	xsglwjgvhcq.exe
File opened for modification	C:\Windows\pgztqiwysgimjxrntrlc.exe	xsglwjgvhcq.exe
File created	C:\Windows\iwmdxmxwnyxysdunq.exe	xsglwjgvhcq.exe
File opened for modification	C:\Windows\ewqljcrupehmkzuryxske.exe	psxdmq.exe
File opened for modification	C:\Windows\vojfeyosoeiondzxffbupl.exe	psxdmq.exe
File opened for modification	C:\Windows\vojfeyosoeiondzxffbupl.exe	psxdmq.exe
File opened for modification	C:\Windows\pgztqiwysgimjxrntrlc.exe	psxdmq.exe
File created	C:\Windows\pgztqiwysgimjxrntrlc.exe	xsglwjgvhcq.exe
File opened for modification	C:\Windows\vojfeyosoeiondzxffbupl.exe	xsglwjgvhcq.exe
File created	C:\Windows\vojfeyosoeiondzxffbupl.exe	xsglwjgvhcq.exe
File created	C:\Windows\ewqljcrupehmkzuryxske.exe	xsglwjgvhcq.exe
File opened for modification	C:\Windows\cskdzqdexklokxqlqng.exe	psxdmq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3048	psxdmq.exe
3048	psxdmq.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	psxdmq.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 2848	3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe	84
PID 3192 wrote to memory of 2848	3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe	84
PID 3192 wrote to memory of 2848	3192	c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe	84
PID 2848 wrote to memory of 3048	2848	xsglwjgvhcq.exe	85
PID 2848 wrote to memory of 3048	2848	xsglwjgvhcq.exe	85
PID 2848 wrote to memory of 3048	2848	xsglwjgvhcq.exe	85
PID 2848 wrote to memory of 1116	2848	xsglwjgvhcq.exe	86
PID 2848 wrote to memory of 1116	2848	xsglwjgvhcq.exe	86
PID 2848 wrote to memory of 1116	2848	xsglwjgvhcq.exe	86

System policy modification 1 TTPs 39 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	psxdmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xsglwjgvhcq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	xsglwjgvhcq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	psxdmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	xsglwjgvhcq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	psxdmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xsglwjgvhcq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	xsglwjgvhcq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xsglwjgvhcq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xsglwjgvhcq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xsglwjgvhcq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xsglwjgvhcq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xsglwjgvhcq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	psxdmq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xsglwjgvhcq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xsglwjgvhcq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xsglwjgvhcq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	psxdmq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	psxdmq.exe

C:\Users\Admin\AppData\Local\Temp\c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe
"C:\Users\Admin\AppData\Local\Temp\c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Local\Temp\xsglwjgvhcq.exe
  "C:\Users\Admin\AppData\Local\Temp\xsglwjgvhcq.exe" "c:\users\admin\appdata\local\temp\c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\psxdmq.exe
    "C:\Users\Admin\AppData\Local\Temp\psxdmq.exe" "-c:\users\admin\appdata\local\temp\c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3048
- - C:\Users\Admin\AppData\Local\Temp\psxdmq.exe
    "C:\Users\Admin\AppData\Local\Temp\psxdmq.exe" "-c:\users\admin\appdata\local\temp\c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bodtmakiyiggzjzr.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cskdzqdexklokxqlqng.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewqljcrupehmkzuryxske.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwmdxmxwnyxysdunq.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgztqiwysgimjxrntrlc.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\psxdmq.exe

Filesize
696KB

MD5
7bf458492f85aa2a2534a93274c8b1bb

SHA1
26866c2a00052092b468a2cbf21fb184b313c43c

SHA256
8cc55becc1601265aa3ecc33ee51d4a067e41c79995e52c61a6e13171627ef1e

SHA512
2825e9e9c375a4d118cafb9d26b9154f3d2f61eda37ca4021a7bd881682da455cd8f913c88ac0b7d4748e6d7fa66cf35dc7706d2be5b4b689e4be38bf1878819

Download Submit
C:\Users\Admin\AppData\Local\Temp\psxdmq.exe

Filesize
696KB

MD5
7bf458492f85aa2a2534a93274c8b1bb

SHA1
26866c2a00052092b468a2cbf21fb184b313c43c

SHA256
8cc55becc1601265aa3ecc33ee51d4a067e41c79995e52c61a6e13171627ef1e

SHA512
2825e9e9c375a4d118cafb9d26b9154f3d2f61eda37ca4021a7bd881682da455cd8f913c88ac0b7d4748e6d7fa66cf35dc7706d2be5b4b689e4be38bf1878819

Download Submit
C:\Users\Admin\AppData\Local\Temp\psxdmq.exe

Filesize
696KB

MD5
7bf458492f85aa2a2534a93274c8b1bb

SHA1
26866c2a00052092b468a2cbf21fb184b313c43c

SHA256
8cc55becc1601265aa3ecc33ee51d4a067e41c79995e52c61a6e13171627ef1e

SHA512
2825e9e9c375a4d118cafb9d26b9154f3d2f61eda37ca4021a7bd881682da455cd8f913c88ac0b7d4748e6d7fa66cf35dc7706d2be5b4b689e4be38bf1878819

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgxpkammeqqsnzrlpl.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vojfeyosoeiondzxffbupl.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsglwjgvhcq.exe

Filesize
308KB

MD5
85cb856b920e7b0b7b75115336fc2af2

SHA1
1d1a207efec2f5187583b652c35aef74ee4c473f

SHA256
6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62

SHA512
120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xsglwjgvhcq.exe

Filesize
308KB

MD5
85cb856b920e7b0b7b75115336fc2af2

SHA1
1d1a207efec2f5187583b652c35aef74ee4c473f

SHA256
6fff20aabe8265b6e811c9dbcb987f9c15cf07d1d8b80ced7b287d96900f5c62

SHA512
120ff9c77c19216e5691b6ba812f09f7db7b46685a391027fff56e5b73200f4211b6bac2c2d28cdfe461d1fbf10f1a3204adeedbd0a34a034a862c6278d901e8

Download Submit
C:\Windows\SysWOW64\bodtmakiyiggzjzr.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\SysWOW64\cskdzqdexklokxqlqng.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\SysWOW64\ewqljcrupehmkzuryxske.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\SysWOW64\iwmdxmxwnyxysdunq.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\SysWOW64\pgztqiwysgimjxrntrlc.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\SysWOW64\rgxpkammeqqsnzrlpl.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\SysWOW64\vojfeyosoeiondzxffbupl.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\bodtmakiyiggzjzr.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\bodtmakiyiggzjzr.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\cskdzqdexklokxqlqng.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\cskdzqdexklokxqlqng.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\ewqljcrupehmkzuryxske.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\ewqljcrupehmkzuryxske.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\iwmdxmxwnyxysdunq.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\iwmdxmxwnyxysdunq.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\pgztqiwysgimjxrntrlc.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\pgztqiwysgimjxrntrlc.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\rgxpkammeqqsnzrlpl.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\rgxpkammeqqsnzrlpl.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\vojfeyosoeiondzxffbupl.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit
C:\Windows\vojfeyosoeiondzxffbupl.exe

Filesize
452KB

MD5
52beba36bc5b371193ec2a93a7986bbf

SHA1
47329ebd38f5baa4a6d47d552ae9a0ddfcf64305

SHA256
c3f3c5ed5a1d415fbbdf313d10d031b130560c343740e2140716c675bb555065

SHA512
86977dca1444ff9c75562e16123ac74989cc375103fde83d7746068f70e772f5f2a432bd414a62e392257f1e277b6657dc18866d83a421e456472c2a57cd2e3d

Download Submit